Does ACS have any way of saying "If a user is authenticating to deviceA, use externalDB1 for the password, but if they are authenticating to deviceB, then use externalDB2"?
An example of how this is practical is that our security policy dictates that users have a separate password for their VPN account vs their AD account. Idea being if their VPN password is compromised, they can't log into any other machines, or if a user's AD password is compromised, it can't be used for remote access. The users authenticate to ACS via RADIUS from the VPN device; what if that user needs to authenticate to a router as well via TACACS, which also talks to ACS... and they're permitted to use their LDAP / AD password to access the routers etc. I'd like requests from the routers for user A to use LDAP, but requests from the VPN device for user A to use a local ACS username / password.
The only way around this that I know of is to use a separate username for VPN access, like userAvpn, and have a local username / pw in ACS for userAvpn. I want to keep as much authentication centralized as I can, as it makes logging and management easier, but ACS doesn't seem to want to play nice...
Is this something ACS 5.1 can do?